Message-Id: <20160822183717.D769F6DC3AF@smtpvmsrv1.mitre.org>
Date: Mon, 22 Aug 2016 14:37:17 -0400 (EDT)
From: cve-assign@...re.org
To: meissner@...e.de
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: CVE Request: Linux kernel crash of OHCI when plugging in malicious USB devices

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

> Perhaps we need to add more criteria to select CVE assignment.

Because we're not in a position to have a CVE ID for every bug that is
possibly of security relevance to anyone, one question is whether the cost
of having an ID is too high given the benefit of the ID to risk management.

Our understanding of the prevailing response theme is that system
administrators typically shouldn't have an expectation that the OS (or the
hardware) can continue running if an attacker can connect an object of
their choice to a USB port. This seems consistent with the criteria that
you listed.

If there are, for example, Linux distribution vendors that plan to engage
their full vulnerability-management process to produce and announce an
end-user-consumable kernel update that resolves only a single simple DoS
issue (requiring physical access to a USB port), then we may need to
reconsider.

Costs to maintaining a large number of Linux kernel CVEs for this specific
type of simple DoS include:

- there is a potentially misleading message that it is "common" to track
  this type of bug as a vulnerability

- there is a potentially misleading message that USB in the Linux kernel
  has many vulnerabilities, whereas USB in another product (such as a
  closed-source OS) does not

> That said, this leaves malicious USB devices posing as regular keyboards
> for text injection unclassified ...

There has been a related CVE for five years (CVE-2011-0640), although
selecting udev as the responsible component was probably not the right
approach, and maybe that CVE should be updated or rejected.

We think the current understanding, very roughly, is:

- the Linux kernel does not require a configuration in which a newly
  connected USB device is recognized in any way

- a Linux distribution may ship with a default configuration in which a
  newly connected USB device can operate as a keyboard and inject text
  into an application

- some Linux distributions want to have this behavior, and their
  maintainers have concluded that there is no comprehensive method for
  "asking a user" about a new USB device in a way that is compatible with
  all use cases

- if anyone (whether a Linux distribution or other type of product) is
  announcing a required security update, in which software or
  configuration is being changed to address malicious keyboard attacks,
  then we can assign a CVE ID to associate with the update announcement

-- 
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at
  http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJXu0WUAAoJEHb/MwWLVhi2SA8P/A/bNt12snkfgrrXfULX1RgT
9Llg1hfUuk1EykVkV0iePtitcudpMeIDdoM//fodR8BvsHdBhvyx2Jv4cHlolxrL
R4I5HjecgFVLBFRIE9Ze2Cw85xM0N/CEmxeKnJ6neUxmNFTA1ciK5SguJZINn4vv
YAzq4385oFJ8DYpB7KZ/WgUhYV+woNsiFqjm3PmbfDYpFp1Qg5w72HAunCTam4IT
j/SHTYq/Ntr6aezzs65uinzP4yh2hS6SuAui81z+Sjhc6FzBndizK2h4GTzerG3s
X2tUG+ogzSREro+jiVQh6EORYhMGnQfUv0zvYd3Y3I0VVkpvUXOcHBgNGIsSC0B4
SZSvF8zQ9zqJqzvI7vwQs5ODfdwivS99nFjeNND0dNSKscSXPCjZ/Xtl61xu2k2y
zjq9V3BN1UAk9kgIBgsV2tTEdwUL2bqgC7u+dNVMqzw/ms62cZQzKdvCFdIBCUt8
SO4BXad5KoOA22FgpleG1LTcsZEFPxlvbJ845Vab3lpyFJnnXofuxi31EcJsDLWI
23OmxgoYUPp2p7g0RjYi5k3oqNO84nOZKG8RUJl9r6xTZh41ftS7fUHpQsnc8hiw
vIvVOxgr6yrhp+JusTuas6doQhr4Mev8Cz1b460Fb6R14TE2G2r0/ooR3OtgkGAE
p7l0Yj54nVW00GrVSwWd
=XrOI
-----END PGP SIGNATURE-----
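The message above notes that the kernel does not require a configuration in which a newly connected USB device is recognized, while distributions have found no general way to "ask the user" about a new device. The script below is an added example, appended after the message and not code from the thread, from MITRE, or from any distribution. It shows one concrete way an administrator can realise the first point on a single host: use the kernel's sysfs USB authorization attributes so that every device plugged in after lockdown is held unauthorized (no driver binds to it, so it cannot act as a keyboard) until someone reviews its vendor/product IDs and authorizes it explicitly. The attribute names assumed are `authorized_default` on each root hub (`usb1`, `usb2`, ...) and `authorized`, `idVendor` and `idProduct` on each device under `/sys/bus/usb/devices`. The sysfs root is a parameter so the functions can be exercised against a constructed stand-in directory offline; on a real host they need root and the real path.

```shell
#!/bin/sh
# Added example, not code from the oss-security thread or from any distribution.
# Lock down USB device authorization via sysfs so that a newly connected device
# is not bound to any driver (hence cannot inject keystrokes) until an
# administrator authorizes it.  Assumed sysfs layout (real kernels expose it,
# but the path is a parameter so this can run against a constructed tree):
#   <root>/usb<N>/authorized_default   per root hub; 0 = new devices start unauthorized
#   <root>/<bus-port>/authorized       per device; 1 = allow drivers to bind
#   <root>/<bus-port>/idVendor, idProduct

SYSFS_USB="${SYSFS_USB:-/sys/bus/usb/devices}"

# Make every device enumerated from now on start in the unauthorized state.
# Devices that are already plugged in keep whatever state they have.
usb_deny_new_devices() {
    root="${1:-$SYSFS_USB}"
    for hub in "$root"/usb[0-9]*; do
        [ -f "$hub/authorized_default" ] || continue
        printf '0\n' > "$hub/authorized_default"
    done
}

# Print "<device> <idVendor>:<idProduct>" for each device currently held
# unauthorized, so an operator can decide what to allow.
usb_list_unauthorized() {
    root="${1:-$SYSFS_USB}"
    for dev in "$root"/[0-9]*-[0-9]*; do
        [ -f "$dev/authorized" ] || continue
        [ "$(cat "$dev/authorized")" = "0" ] || continue
        printf '%s %s:%s\n' "$(basename "$dev")" \
            "$(cat "$dev/idVendor" 2>/dev/null)" "$(cat "$dev/idProduct" 2>/dev/null)"
    done
}

# Authorize one device by its sysfs name (e.g. "1-2") after review.
# Returns 1 if no such device is present.
usb_authorize_device() {
    root="$1"; dev="$2"
    [ -f "$root/$dev/authorized" ] || return 1
    printf '1\n' > "$root/$dev/authorized"
}

# Constructed stand-in for the sysfs tree (not a real host): one root hub,
# one device authorized before lockdown (1-1) and one that arrived after it
# (1-2).  The vendor/product IDs are made up for the example.
usb_make_fake_sysfs() {
    root="$1"
    mkdir -p "$root/usb1" "$root/1-1" "$root/1-2"
    printf '1\n' > "$root/usb1/authorized_default"
    printf '1\n' > "$root/1-1/authorized"
    printf '1234\n' > "$root/1-1/idVendor"
    printf '0001\n' > "$root/1-1/idProduct"
    printf '0\n' > "$root/1-2/authorized"
    printf 'abcd\n' > "$root/1-2/idVendor"
    printf '0002\n' > "$root/1-2/idProduct"
}

# Offline demonstration against the constructed tree.
demo_root=$(mktemp -d)
usb_make_fake_sysfs "$demo_root"
usb_deny_new_devices "$demo_root"
echo "Unauthorized devices after lockdown:"
usb_list_unauthorized "$demo_root"          # 1-2 abcd:0002
usb_authorize_device "$demo_root" 1-2
echo "After authorizing 1-2:"
usb_list_unauthorized "$demo_root"          # (no output)
rm -rf "$demo_root"
```

Two caveats a practitioner would want. First, `authorized_default` only affects devices enumerated after it is written, so run the lockdown early in boot (or have udev write it) rather than at login time. Second, this is exactly the trade-off the message describes: once locked down, a freshly plugged-in keyboard does nothing until it is authorized from an existing session, which is unacceptable on a machine whose only console is a hot-pluggable USB keyboard, so it is a per-host administrative decision rather than something a distribution can ship as a default.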